krior 5 days ago

But you would like to be notified by your neighbours if you have left your window open while away, right? Or are you going to sue them for attempted break-in?

The issue is not that it's illegal to put on a white hat, break into the user database and steal 125 million accounts as proof of a security issue.

The problem is people getting sued for saying "Hey, I stumbled upon the fact that you can log into any account by appending the account-number to the url of your website.".

There certainly is a line separating ethical hacking (if you can even call it hacking in some cases) and prodding and probing at random targets in the name of mischief and chaos.

wahern 4 days ago

Analogy with the physical world falls apart here. Few people would want to enshrine an exemption from trespassing for someone walking house-to-house jiggling door handles and pushing on windows to see what's unlocked. If anything you may want to make it an explicit crime to do it systematically, as opposed to "targeting" a neighbor's house. In fact, I think this constitutes prowling, which is a crime in many places.

But for white-hat hacking you want prowling. And it's very difficult to create technical definitions that productively distinguish "good" prowlers from "bad" prowlers. So why even try to draw a distinction between types of prowlers? Maybe prowling information systems online shouldn't be a crime at all, given the nature of information systems.